1. Introduction & Controller Information

This Privacy Policy ("Policy") explains how Dr. Salah Kary ("we," "us," "our," or "Controller") collects, uses, discloses, and otherwise processes personal data through our website located at drsalahkary.com ("Website"). We are committed to protecting your privacy and ensuring transparency in how we handle your information in compliance with the Saudi Arabia Personal Data Protection Law (PDPL) and applicable healthcare regulations.

Data Controller Details

Dr. Salah Kary holds the following professional qualifications and credentials: MD, FRCPC (Fellow Royal College of Physicians of Canada), and EMBA. As a Senior Consultant Interventional Radiologist, all services offered are subject to applicable Saudi healthcare regulations and professional standards.

2. Scope & Applicability

This Privacy Policy applies to all visitors and users of drsalahkary.com ("Users," "you," or "your"). By accessing, browsing, or using our Website in any manner, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

• Geographic Scope: This Website is offered to and intended for residents and patients in Saudi Arabia. We do not knowingly offer services to individuals outside the Kingdom of Saudi Arabia.
• Age Eligibility: This Website is intended for users who are 18 years of age or older. By using the Website, you represent that you are at least 18 years old or have obtained parental or guardian consent.
• Language: This Policy is provided in English. If translated into Arabic or other languages for convenience, the English version shall be controlling in case of discrepancy.
• Updates to Scope: We reserve the right to modify the geographic scope or eligibility criteria at any time by updating this Policy. Continued use of the Website constitutes acceptance.

3. Legal Basis & Regulatory Framework

Our collection and processing of personal data is conducted in strict compliance with the following regulatory frameworks:

Saudi Arabia Personal Data Protection Law (PDPL)

• Royal Decree No. M/19 dated September 16, 2021
• Amended by Royal Decree No. M/148 dated March 27, 2023
• Enforcement commenced: September 14, 2023
• Full compliance required by: September 14, 2024
• Regulator: Saudi Data & AI Authority (SDAIA)

The PDPL is Saudi Arabia's primary legislation governing collection, processing, use, and disclosure of personal data. It establishes rights for data subjects and obligations for data controllers and processors.

Law of Practicing Healthcare Professions

Saudi regulations governing medical practice require healthcare professionals to comply with professional standards, maintain patient confidentiality, obtain informed consent, and adhere to medical ethics principles. Dr. Salah Kary operates under these requirements as licensed by the Saudi Commission for Health Specialties (SCFHS).

Health Information Protection Standards

Under PDPL Articles 23 and 26, health information and medical data are classified as sensitive personal data and receive enhanced protection, including:

• Explicit consent for processing
• Limited collection (necessity principle)
• Restricted access and use
• Enhanced security safeguards
• Prohibition on transfer without justified legal basis

SDAIA Oversight

SDAIA serves as the regulatory authority responsible for PDPL enforcement and provides guidance on compliance standards. For more information, visit www.sdaia.gov.sa.

4. Information We Collect

4.1 Personal Data Collected Directly

We collect personal data directly from you when you voluntarily submit the Contact Us form on our Website to inquire about appointment booking. The information we collect includes:

All personal data collected through the contact form is processed only for the purpose of responding to your appointment inquiry.

4.2 Automatically Collected Information

When you visit our Website, certain information is automatically collected through technical means:

• IP Address & Device Information: IP address, browser type/version, device type, operating system, device identifiers
• Website Usage Data: pages visited, time spent, links clicked, referral sources, search queries (if applicable), downloads (if applicable)
• Cookies & Tracking Technologies: unique identifiers, session data, Webflow platform tracking

4.3 Google Analytics Data

Upon implementation of Google Analytics, the following information may be collected:

• Anonymized user IDs and session IDs
• Page views and user journey tracking
• Bounce rate and session duration
• Traffic sources
• Geographic location (city/region level only)
• Device categories and OS information

Collection Method: Google Analytics operates through cookies and pixel tracking. No collection occurs until you provide explicit consent via our cookie consent banner (see Section 12).

4.4 WhatsApp Communication Data

• Your name and phone number (as provided to Meta/WhatsApp)
• Message content and attachments
• Timestamp of communications
• Metadata regarding message delivery and read status

WhatsApp employs end-to-end encryption for messages. However, Meta (WhatsApp's parent company) processes certain metadata as per their privacy policy.

4.5 What We Do NOT Collect

• ❌ Medical histories or comprehensive health records
• ❌ Insurance information or payment details
• ❌ Credit card or banking information (no payments processed via Website)
• ❌ Passport or national ID numbers
• ❌ Biometric data or genetic information
• ❌ Financial data beyond appointment-related information
• ❌ Location data (precise GPS tracking disabled)
• ❌ Video or audio recordings (without explicit separate consent)
• ❌ Family or dependent information (unless voluntarily provided)

5. How We Use Your Information

We use personal data collected through our Website for the following purposes:

5.1 Appointment Inquiry Processing

• Acknowledge receipt of your inquiry
• Contact you to discuss availability and scheduling
• Provide information about services and consultation procedures
• Confirm appointment details and office hours

Duration: Active processing until appointment is scheduled or you withdraw your inquiry.

5.2 Communication & Contact

• Responding to questions or inquiries
• Sending appointment reminders and confirmations
• Notifying you of cancellations or rescheduling
• Providing updates related to your consultation request

Channels: WhatsApp, phone call, email.

5.3 Website Improvement & Analytics

• Analyzing usage patterns
• Identifying technical issues
• Enhancing user experience
• Understanding relevant content/services

5.4 Legal Compliance & Record Keeping

• Maintaining records for legal/regulatory compliance
• Responding to Saudi authorities (SCFHS, MOH, SDAIA)
• Defending against legal claims
• Complying with court orders or governmental requirements
• Preventing fraud or illegal activity

5.5 Website Security & Operations

• Detecting and preventing unauthorized access
• Protecting against cybersecurity threats
• Ensuring website availability and functionality

5.6 Limited Use for Service Improvement

• Identifying trends in appointment requests
• Evaluating service demand and resource allocation
• Aggregated, anonymized insights

6. Legal Basis for Processing

6.1 Consent

When you submit the Contact Us form, you provide explicit consent for us to process your contact details for the purpose of responding to your inquiry and scheduling an appointment.

• Withdrawal: You may withdraw consent at any time by contacting us (Section 11.8)
• Effect: We will cease processing; however, necessary retained data may remain for appointment fulfillment

6.2 Contractual Necessity

We process your contact information as necessary to schedule and communicate regarding the appointment request.

6.3 Legitimate Interest

• Website security and operations
• Service improvement and user experience
• Legal compliance and regulatory responses

6.4 Legal Obligation

We may process personal data when required by Saudi authorities, courts, or law enforcement.

6.5 Special Basis for Health Information

• Explicit Consent
• Medical Necessity (for consultation you request)
• Legal Obligation (if required by healthcare regulations/authorities)

7. Data Sharing & Disclosure

7.1 Third-Party Service Providers

Webflow (Website Hosting & Form Processing)

Google Analytics (Upon Implementation)

WhatsApp/Meta (Communication)

7.2 Legal Disclosures

• Saudi authorities (SDAIA, SCFHS, MOH) during lawful investigations
• Court orders or subpoenas from Saudi courts
• Law enforcement agencies for public safety or crime investigations
• Mandatory legal requirements or regulatory directives
• Protection of rights (fraud prevention, enforcing Terms of Use)

7.3 No Sale of Personal Data

We do not sell, rent, lease, or transfer personal data to third parties for commercial purposes.

7.4 Aggregated & Anonymized Data

We may share aggregated/anonymized data for research, analytics, service improvement, and insights.

7.5 Disclosure Upon Merger or Acquisition

If a merger/acquisition occurs, personal data may be transferred subject to this Privacy Policy or an updated policy.

8. International Data Transfers

8.1 Cross-Border Transfer Overview

Our Website hosting provider (Webflow) stores data on servers located in the United States. Submissions may be transmitted to and processed in the USA.

8.2 Safeguards

• Data Processing Addendum (DPA)
• Standard Contractual Clauses (SCCs)
• TLS/SSL encryption in transit and at rest
• Access controls and audits
• Purpose limitation and necessity principle

8.3 Your Acknowledgment

By using the Website and submitting the contact form, you acknowledge the cross-border transfer to USA-based servers subject to safeguards described in this Policy.

8.4 No Independent Transfer by Dr. Salah Kary

Dr. Salah Kary does not independently transfer personal data outside Saudi Arabia. Transfers are handled by Webflow as a processor.

8.5 Restricted Transfers

• Required by law or court order
• Explicit consent from you
• Adequacy decision / appropriate safeguard in place
• Necessary for medical emergency (as permitted)

9. Data Security & Protection

We implement technical, organizational, and administrative measures to protect personal data from unauthorized access, alteration, disclosure, and destruction.

9.1 Technical Measures

• Encryption in Transit: TLS/SSL, HTTPS for all forms
• Encryption at Rest: database encryption, key management
• Firewall Protection: intrusion detection, DDoS protection
• Access Controls: RBAC, MFA where applicable

9.2 Organizational Measures

• Data minimization
• Need-to-know access restrictions
• Confidentiality agreements
• Vendor management and audits

9.3 Administrative Measures

• Staff training
• Incident response procedures
• Backups & disaster recovery
• Security policies and annual reviews

9.4 Webflow Security Standards

• ISO 27001 certification
• SOC 2 Type II compliance
• Regular penetration testing
• 24/7 security monitoring

More info: www.webflow.com/security

9.5 Limitation

No system is 100% secure. Internet transmission has inherent risks. Please protect your device and do not share your information with unauthorized parties.

9.6 Data Breach Notification

• 72-hour notification: We notify affected individuals and SDAIA within 72 hours of discovery (PDPL Article 36).
• Breaches involving sensitive health data may require immediate notification.

10. Data Retention

10.1 Retention Principles

• Necessity
• Proportionality
• Regular review and deletion
• Security during retention

10.2 Retention Periods – Contact Form Submissions

Automatically Collected Data

10.3 Deletion Procedures

• Cryptographic erasure
• Data shredding
• Physical destruction (for physical records)

10.5 Right to Erasure

You may request deletion before expiry unless retention is legally required.

11. Your Data Rights & Choices Under PDPL

11.1 Right to Access

• Request a copy of personal data held
• Understand purposes, recipients, retention
• Response timeline: 30 days (extendable)

11.2 Right to Rectification

• Correct name, phone, email
• Response timeline: 30 days

11.3 Right to Erasure

• Request deletion under specific grounds
• Exceptions apply for legal obligations/claims

11.4 Right to Restrict Processing

• Store data but pause active processing during disputes

11.5 Right to Data Portability

• Receive data in CSV / PDF / JSON (on request)

11.6 Right to Object

• Object to certain processing (e.g., marketing/profiling)

11.7 Right to Withdraw Consent

• Withdraw consent for future processing

11.8 How to Exercise Your Rights

11.9 Right to Lodge a Complaint with SDAIA

12. Cookies & Tracking Technologies

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They contain information about browsing activity and are sent back to the server on subsequent visits.

12.2 Cookies Used on Our Website

Essential/Strictly Necessary Cookies (Always Active):

Performance/Analytics Cookies (Requires Consent):

12.4 Cookie Consent Mechanism

12.5 Managing Cookies

• Chrome → Settings → Privacy & Security → Cookies
• Firefox → Preferences → Privacy & Security
• Safari → Preferences → Privacy
• Edge → Settings → Cookies and site permissions

12.8 Do Not Track

We do not respond to DNT signals. You can disable tracking via the consent banner or browser settings.

13. Health Information & Sensitive Data

13.1 Classification

Health information is classified as sensitive personal data under PDPL Articles 23 and 26.

13.2 Our Policy

• We do NOT routinely collect comprehensive health information through the website.
• If you voluntarily provide health information, it is treated as sensitive data with enhanced protections.

13.5 No Online Diagnosis

• ❌ Online medical diagnosis
• ❌ Remote treatment
• ❌ Prescription services

All medical decisions require an in-person consultation.

14. Children’s Privacy

• Not directed to children under 13
• No intentional collection from minors without parental consent
• Minors 13–18 only with parental knowledge and consent

15. Third-Party Links

• We may link to third-party websites (MOH, SCFHS, hospitals, resources)
• We do not control third-party privacy practices
• Please review their policies before sharing data

16. Changes to This Privacy Policy

• We may update this policy as laws or practices change
• Minor updates may occur without notice
• Material changes may be notified by email, banner, or WhatsApp

17. Privacy Contact & Data Protection Officer

Primary Privacy Contact: Dr. Salah Kary

• Email: info@salahkary.com
• WhatsApp: +966 53 399 4880
• Address: Saudi Arabia, Jeddah123
• Office Hours: Mon–Fri, 9:00 AM–5:00 PM (Jeddah Time)

18. Webflow Data Processing Details

• Webflow acts as a data processor on behalf of Dr. Salah Kary (Controller)
• DPA governs the relationship and protections
• Webflow maintains security standards such as ISO 27001 and SOC 2 Type II
• Subprocessors may be used; Webflow maintains a list on their privacy page

19. Contact Information for Privacy Matters

19.1 Contact Methods

19.2 Response Timeline Expectations

20. Governing Law & Jurisdiction

• Governing law: Saudi PDPL and Law of Practicing Healthcare Professions
• Jurisdiction: Courts of Jeddah, Kingdom of Saudi Arabia
• Dispute resolution: negotiation → escalation → optional SDAIA complaint → litigation

21. Final Acknowledgment

• ✓ You have read and understood this Privacy Policy
• ✓ You agree to be bound by its terms
• ✓ You understand how data is collected, used, and protected
• ✓ You understand your PDPL rights and how to exercise them
• ✓ You consent to processing and cross-border transfer where applicable

Version History

Thank you for your trust in Dr. Salah Kary's practice. Your privacy is our priority.